Stowage/godot
2
0
Fork 0
mirror of https://github.com/godotengine/godot.git synced 2025-10-20 00:13:30 +00:00
Code Issues Projects Releases Packages Wiki Activity

[TLS] Add support for platform-specific CA bundles.

Browse source 
Adds a new OS::get_system_ca_certs method which can be implemented by
platforms to retrieve the list of trusted CA certificates using OS
specific APIs.

The function should return the certificates in PEM format, and is
currently implemented for Windows/macOS/LinuxBSD(*)/Android.

mbedTLS will fall back to bundled certificates when the OS returns no
certificates.

(*) LinuxBSD does not have a standardized certificates store location.
    The current implementation will test for common locations and may
    return an empty string on some distributions (falling back to the
    bundled certificates).
This commit is contained in:
Fabio Alessandrelli 2023-04-13 21:17:55 +02:00
parent 4e1d5be9d3
commit 6fd9982358
17 changed files with 180 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

35
platform/linuxbsd/os_linuxbsd.cpp
View file

@ -30,6 +30,7 @@
#include "os_linuxbsd.h"
#include "core/io/certs_compressed.gen.h"
#include "core/io/dir_access.h"
#include "main/main.h"
#include "servers/display_server.h"
@ -1080,6 +1081,40 @@ Error OS_LinuxBSD::move_to_trash(const String &p_path) {
return OK;
}
String OS_LinuxBSD::get_system_ca_certificates() {
String certfile;
Ref<DirAccess> da = DirAccess::create(DirAccess::ACCESS_FILESYSTEM);
// Compile time preferred certificates path.
if (!String(_SYSTEM_CERTS_PATH).is_empty() && da->file_exists(_SYSTEM_CERTS_PATH)) {
certfile = _SYSTEM_CERTS_PATH;
} else if (da->file_exists("/etc/ssl/certs/ca-certificates.crt")) {
// Debian/Ubuntu
certfile = "/etc/ssl/certs/ca-certificates.crt";
} else if (da->file_exists("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")) {
// Fedora
certfile = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem";
} else if (da->file_exists("/etc/ca-certificates/extracted/tls-ca-bundle.pem")) {
// Arch Linux
certfile = "/etc/ca-certificates/extracted/tls-ca-bundle.pem";
} else if (da->file_exists("/var/lib/ca-certificates/ca-bundle.pem")) {
// openSUSE
certfile = "/var/lib/ca-certificates/ca-bundle.pem";
} else if (da->file_exists("/etc/ssl/cert.pem")) {
// FreeBSD/OpenBSD
certfile = "/etc/ssl/cert.pem";
}
if (certfile.is_empty()) {
return "";
}
Ref<FileAccess> f = FileAccess::open(certfile, FileAccess::READ);
ERR_FAIL_COND_V_MSG(f.is_null(), "", vformat("Failed to open system CA certificates file: '%s'", certfile));
return f->get_as_text();
}
OS_LinuxBSD::OS_LinuxBSD() {
main_loop = nullptr;